diff options
author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-12 21:47:13 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-12 21:47:13 +0000 |
commit | 5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e (patch) | |
tree | f7c4c2ed3d7844cbdafb088cd69f1f1e89d65d4e /sandbox | |
parent | d91fe77748cc7c1b4af46c3fb6fd72a4d080a9e5 (diff) | |
download | chromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.zip chromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.tar.gz chromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.tar.bz2 |
Linux sandbox: fix security issue.
(Reported by Julien Tinnes)
Because the chroot helper process and the zygote share a FILES
structure, the latter can race the former and change the value of cwd
before it does chroot("."). Because of this, the zygote could chroot
into a directory of its choosing. Once there, it could setup hardlinks
to SUID binaries and possibly make them misbehave if they weren't
sufficiently paranoid.
This possibility should have been migigated by the removal of
dangerous environment variables. However, we had to reinstate them in
order to pass LD_LIBRARY_PATH because some setups don't have ld.so
setup to use /usr/lib32 and also for ffmpeg.
http://codereview.chromium.org/164427
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23228 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/linux/suid/sandbox.cc | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc index 26aee65..ea6b232 100644 --- a/sandbox/linux/suid/sandbox.cc +++ b/sandbox/linux/suid/sandbox.cc @@ -121,13 +121,17 @@ static int CloneChrootHelperProcess() { fchmod(chroot_dir_fd, 0000 /* no-access */); struct stat st; - if (stat(".", &st)) + if (fstat(chroot_dir_fd, &st)) FatalError("stat"); if (st.st_uid || st.st_gid || st.st_mode & S_IWOTH) FatalError("Bad permissions on chroot temp directory"); - if (chroot(".")) + char proc_self_fd_str[128]; + snprintf(proc_self_fd_str, sizeof(proc_self_fd_str), "/proc/self/fd/%d", + chroot_dir_fd); + + if (chroot(proc_self_fd_str)) FatalError("Cannot chroot into temp directory"); if (chdir("/")) |